Too long; didn't read summary

Privacy issues are of paramount importance to customers so, by default, they should be important to organizations operating in the digital landscape. Understand the implications, have the right policies, and make sure they are being followed.

  • Don’t ask for more info than you absolutely need.
  • Don’t assume your customers share the same attitudes about privacy.
  • Have a real privacy policy, not just a boilerplate, and make sure your front-line staff understand it.
  • Obey the golden rule; care for others’ info as you would want your own treated.
  • Stay up to date.

Let’s start simple. Your name.
What value would you put on your name?

We will spend money, go to court or risk injury and go to battle to protect or defend our name. We mark someone’s achievement and show respect by putting their name on buildings, roads and even mountains. A name has value because of what it represents about a person. Their name becomes their reputation and their honour.

Our name has value because of what it means, but also because of what it does.

It makes us unique; it’s how we identify ourselves, and how others identify us. Whatever else about us might change, our age, height, weight or appearance, our name remains the same. The sharpest scalpel or latest fad diet can change many things about you, but not your name.

Our name is how people find us and know when they have, as only we can say “yes that’s me”, when asked our name. It is often the first thing people learn about us and can also be the most important thing, giving great value to our name for anyone who wants to contact or find us.

Our name is what we also must change to avoid being found, as it cannot be disguised. When you change your name, to the rest of the world you become a different person.

$560 million doesn’t go as far as you’d expect – in New Hampshire anyway.

With all that means and all that it does, what is your name worth to you? Does $560 million seem like enough?

It wasn’t for one person.

On 6 January 2018, a person came forward with a winning ticket for a $560 million jackpot in the New Hampshire Powerball lottery. Despite losing interest of at least $50,000 a day, as of this writing, she had yet to receive the money – by choice. The winner had to decide the value of her name in order to collect her winnings and wouldn’t agree to the bargain she would have to make.

To receive the jackpot, she would have to agree that her name would be made public.  For her, it was not enough that she would get $560 million as a result. She didn’t ask for different compensation. Instead she has filed suit as “Jane Doe” challenging the rule that to receive her lottery winnings, her name must be made public.

The rule in the New Hampshire lottery is the same as with most lotteries. The winner’s name is needed for two reasons. The lottery must maintain its integrity and encourage people to keep buying tickets. The winner’s name lets the lottery do both. It confirms that someone really did win, and seeing a lottery winner holding a huge cheque for a huge amount makes people keep hoping and keep buying lottery tickets. The winner’s name is what keeps the lottery going.

This means that the bargain is that in exchange for the use of their name this way, a lottery winner will receive the jackpot.

The New Hampshire winner understood this bargain and how her name would be used by the lottery.  The problem for her was about what other uses might be made of her name after it was made public.  Because of the unexpected ways other people might use her name and the risks she would face as a result, she couldn’t agree the bargain.

Who could blame her?

Not only have previous lottery winners been the victims of theft, fraud, extortion and endless demands for money from people they haven’t met or didn’t remember were related, some have suffered physical attacks and injury, and some have been killed, after people learned about and made contact with them because of their lottery luck. The lottery operator could do nothing to address this concern so long as the existing rule was enforced.

We all spend like lottery winners every day.

While the example is extreme, the same worry can exist for anyone in the bargain we all make every time we are asked for any personal data.  This includes website visitors when they give their email address for a mailing list, to make contact, subscribe for access or to receive a service, or buy something online.

When someone gives their information for any of these reasons, the value of what they will get is at least equal to the value of the information they give, because of how they expect their information to be used as a result. If there is a reason to think it could be used in other ways, the risks of such unexpected use might be too high for someone to feel they have received enough in return to balance out what they have given. Concerns about how their information will be used by you, whether you will share their information with third parties or what else you could find out about them from the information they give you, could all result in the risk being higher than what they’ll receive in return.

In New Hampshire, even her name was too much to ask.

We know people are listening all the time, it doesn’t mean we’re paranoid.

The concern people have about what else you might be able to find out after they give you their name comes from increased awareness and concern about invasions of privacy in all aspects of our lives.

The potential for invasion of privacy seems to be everywhere, from CCTV cameras on the street to the things we buy that are in our homes. It no longer means you are paranoid or a believer in conspiracy theories to accept how easy it might be for someone to invade your privacy and get information about you.

Whether that means someone will actually do so, by using our laptop, smart TV, mobile phone or that new thing sitting on a table that answers the questions we ask, at some level we think it’s possible.

Whatever risk might actually exist or however we each feel about that, issues of privacy and concerns about the use of information will affect what information you ask people to provide online, how reluctant they are to provide it, and whether they question why it is being requested and how it will be used.

For the lottery winner, there was nothing the lottery operator could say to reassure her, as it was the actions of other people and their unexpected use of information that was the risk for her.

We expect the unexpected, but that only makes it worse.

The same risk can be felt by any of us, as there are obvious reasons to worry about unexpected use of information by unexpected people.

We can start with any of the recent accidental disclosures of private information, which are common and always seem to involve human error or poor employee practices.

Then, there are companies which intentionally misuse or disclose personal data, often for the company’s financial gain.

The most difficult reasons for concern are from companies that do something with information which causes concern, not because it is illegal, but because it was unexpected. This can be how the information was used or because the company used information we didn’t realise they had. It can sour or erode the relationship that consumers had with the company. Some recent examples show how this can happen.

When Netflix and Spotify acted like our friends – for the wrong reason.

When someone who (we assume no longer) works for Netflix posted a company tweet in December 2016 saying, “To the 53 people who’ve watched A Christmas Prince every day for the past 18 days: Who hurt you?” some people saw the humour.  More people thought it was creepy and a bit snarky.

Netflix subscribers might also wonder just how closely Netflix was watching them at the same time they watched Netflix. It wasn’t a secret that viewing history was tracked by Netflix, as that’s how the site makes recommendations. What was unexpected was the reminder that someone was watching and keeping track, and that the information could be used that way. Not many would expect their Netflix subscription would be used to poke fun and mock them. That’s what you expect from your friends and family. Not from Netflix.

Netflix was following the clumsy example of Spotify’s 2016 ad campaign in which they shared insights taken from customer data. Some of the insights were very personal such as the billboard that said: “Dear person who made a playlist called: ‘One Night Stand With Jeb Bush Like He’s a Bond Girl in a European Casino.’ We have so many questions.” Imagine being the customer who created that playlist. This person probably didn’t expect that information Spotify had about them would be plastered on a billboard or come with a side of sarcasm.

The best/worst example of unexpected use of customer information comes from Uber and their company blog about “rides of glory” (their phrase, not ours). The blog post was (remarkably) about various customers’ one-night stands which Uber was apparently aware of and tracking. Is further comment required about how unexpected this would have been?

Sometimes saying you didn’t break the law makes it all worse.

When these companies saw a negative reaction, they all responded by confirming that there was no breach of privacy rights in how information had been used and it was also covered by what customers had agreed to when they clicked “accept” on the company’s terms and conditions.

What that also confirmed was that they all missed the point and didn’t see what else might have been a reason for concern: the erosion of the trust that users have in those brands.

It’s unlikely that many people even cared whether the companies used the information legally or not. It was the fact that the companies showed that they would publicize private information about their customers in ways we didn’t expect, just to sell more products. In doing so, they made their customers (and the company) look stupid. In relation to Netflix and the smug tone of their original tweet, the irony is remarkable.

The greater concern the companies didn’t acknowledge was that this was not the bargain people agreed to when they handed over their name and other private information.

When you look at all the different factors and reasons for concern, what can you do to respond to each person’s personal level of comfort and be able to agree the bargain with them?

3 suggestions and 2 steps to deal with someone else’s mess

1. Acknowledge that different concerns will exist and be prepared to answer them.

By asking what you can do to respond to each person and their individual concerns, you’ve already got most of the answer.

It means that you understand you shouldn’t make assumptions about privacy concerns, as they will be different for each person because of their own experience and background.

You should also see that your response can’t be just ticking a box that you have a policy in place that you can look at if the issue comes up. The policy is a resource, not a solution. You have a legal obligation to have a policy in place. (See GDPR.) That’s not the same obligation which you have to people who agree to give you their information.

When you understand that a range of concerns could exist, you then make decisions about your website and prepare for interactions with website visitors.  You anticipate what those concerns might be about, and the tone and content of what response you might make and what else could be done to address any concerns on your website already.

You can also understand what information you are asking for and justify why you need it, rather than just want it. This is what a customer might ask. You can also check if you are getting more information than you need, as you really don’t want to be responsible for looking after more data than is necessary.

If you interact with people through your website, be aware of what your employees are asking or discussing with visitors. Some people are willing to share unexpected and detailed personal data, such as medical information, while others won’t even want to give their name. Employees should be trained to understand the issues, particularly junior and younger employees doing this job, as privacy concerns are more than legal compliance. It applies to what information you ask for, as well as what information your company receives, whether or not it asks for it, and how you look after the information you are given.

2. Don’t make the mess any bigger

Follow some basic steps so you don’t become part of the problem, or the latest embarrassing example for others.

Is your website compliant with privacy and personal data obligations? If so, when did you confirm this and when will you check again? Is the website compliant everywhere it needs to be? (In the world, that is, not in the policy itself.)

You might want to take another look, just to be sure.

3. Now keep up with the issue

To stay on top, when you get to the end of the second point, go back to the first and do it again. This issue will change as the uses of information evolve, as will how we react, particularly as we become more aware of how much information can be known about us through regular “normal” dealings. Expect to be asked questions about what else you now know about people and why.

If you do enough and have a good reputation for dealing with privacy and personal data issues, you will probably also earn the trust of your customers.  Their trust is an asset of huge value, earned through the bargain your customers made when they handed you their valued and valuable name.

If you’re not sure what to do, it’s a good sign.

If you don’t feel entirely sure about what is needed or what you should do, that’s not a bad thing. False confidence about these issues would be far worse. You will also be in good company, with the rest of us who must keep up to date to stay on top of it all. This is an area which changes often and is affected by who is using your website and how it is being used.

Keeping your new asset safe with 2 simple questions

You can protect this asset and understand what might affect its value if you ask two questions before doing something that requires you to use or rely on customer information:

  1. Would a customer be surprised to find out that’s what the information is being used for?
  2. How would I feel if someone else used something they knew about me and did what we’re about to do as a result?

If the answer suggests that might not be what you or your customer bargained for (or if the answer includes the word “creepy”) you should probably think again!